Despite privacy regulations being long established, a new survey finds that 90 percent of companies remain unprepared for the California Consumer Privacy Act of 2018 (the CCPA) and the European Union's General Data Protection Regulation (GDPR). This is based on new research by the company CYTRIO.
CYTRIO’s data privacy research shows CCPA non-compliance from Q4 2021 continues into Q1 2022 despite impending enforcements.
According to Vijay Basani, founder and CEO of CYTRIO: “Our continuous research confirms that first generation privacy rights management solutions have not gained wide adoption due to cost and deployment complexity, resulting in a high percentage of CCPA non-compliance.”
This presents a warning sign for many businesses given that CPRA enforcement takes effect in 2023. This will include a stringent 12-month lookback.
These concerns will be compounded by consumers' increased awareness of their data privacy rights, coupled with the rise of data aggregators. Both are driving an increased number of data requests.
CYTRIO released its State of CCPA Compliance research results in January 2022, studying 5,175 U.S. companies with revenues ranging from $25 million to more than $5 billion. The findings showed that only 11 percent of companies were fully meeting CCPA requirements, while 89 percent of companies were either non-compliant or somewhat compliant.
From January to March 2022, CYTRIO researched an additional 1,570 companies for CCPA and GDPR DSAR compliance, bringing the total to 6,745 companies to date.
This most recent research shows only 10 percent of companies have deployed an automated CCPA Data Subject Access Request (DSAR) management solution. A DSAR is a submission by an individual (data subject) to a business asking to know what personal information of theirs has been collected and stored, as well as how it is being used.
Furthermore, business-to-business and business-to-consumer companies of all sizes are equally poorly prepared for CCPA compliance.
In addition, many firms appear to be woefully unprepared for GDPR compliance, despite the regulation going into effect in May 2018, with $1.8 billion in fines levied as of March 2022.
From Q4 2021 to Q1 2022, the top three most compliant company types remained consistent. Here, Business Services, Retail, and Finance made up 54 percent of the companies researched. While the top three most compliant states (California, New York, and Texas) remained the same, the total number of companies from those states as a percentage of total companies decreased from 31 percent to 25 percent. This suggests other states are catching up.
Meanwhile, other legislation relating to privacy is on the increase. In March 2022, Utah passed the Utah Consumer Privacy Act, becoming the fourth state to enact privacy legislation in the U.S., behind California, Colorado, and Virginia. Currently, 22 states, including Alaska, Hawaii, Massachusetts, New York, Pennsylvania, Washington, Wisconsin, and New Jersey, have multiple pieces of consumer privacy legislation pending.
The regulatory landscape for businesses of all varieties is tightening.
